Disable verbose error messages in any output shown to users without special privileges.
Use context-sensitive server-side output encoding: a combination of escaping, filtering, and validating string data when handling user input and output from the server (cross-site scripting (XSS)).
Replace special characters with escape codes for those characters.
Remove dangerous characters from the data received as input. On its own this is not enough: there are techniques adversaries can use to evade such filters.
Validate browser-supplied input so that it contains only expected characters. Whitelist acceptable characters and reject everything else.
Use client- and server-side validation. Python validation can be used to make sure only expected data makes it into the application, and to inform users immediately of problems with their input.
Establish and maintain control over all inputs
Establish and maintain control over all outputs
Mitigate the language specific most common vulnerabilities
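The following is an added example (not from the original text) showing the XSS defenses listed above in Python: one untrusted value encoded differently for the HTML body, an HTML attribute and a JavaScript string, a whitelist validator, and a single-pass blacklist filter for contrast. The function names and the `USERNAME_RE` pattern are assumptions chosen for illustration.

```python
import html
import json
import re

# Context-sensitive output encoding: the same untrusted string needs a
# different encoder depending on where the template places it.
def encode_for_html_body(value: str) -> str:
    # & < > are enough in text content between tags
    return html.escape(value, quote=False)

def encode_for_html_attribute(value: str) -> str:
    # quote=True also escapes " and ' so the value cannot end the attribute
    return html.escape(value, quote=True)

def encode_for_js_string(value: str) -> str:
    # json.dumps yields a quoted, escaped JS string literal; "</" is also
    # escaped so the value cannot terminate the enclosing <script> block
    return json.dumps(value).replace("</", "<\\/")

def render_greeting(name: str) -> str:
    """Place one untrusted value in three contexts, each with its own encoder."""
    return (
        f'<p title="{encode_for_html_attribute(name)}">'
        f"Hello, {encode_for_html_body(name)}</p>\n"
        f"<script>var user = {encode_for_js_string(name)};</script>"
    )

# Whitelist validation (assumed pattern): accept only expected characters.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")

def validate_username(value: str) -> bool:
    return USERNAME_RE.fullmatch(value) is not None

# Blacklist filtering for contrast: removes a dangerous token once. This is
# the kind of filter the text warns is insufficient on its own.
def strip_script_tags(value: str) -> str:
    return re.sub(r"(?i)<script>", "", value)

if __name__ == "__main__":
    # Constructed sample input
    sample = 'Ann" onerror="x'
    print(render_greeting(sample))
    print(validate_username("ann_01"), validate_username(sample))
```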